Re: sha1sum problem
On 24.02.2017 16:45, Bryan Quigley wrote:
> I'm going to look at adding the SHA256SUM for all the files in
> download.lst. It looks like we can add them without breaking
> anything. Then we can test out how we want to switch or if we need to
> support both for a bit (platform dependent?).

right, and as just discussed on IRC that can even be done without having to rename all the md5-containing filenames on the server, by adding a variable for the SHA256SUM and just ignoring the hash contained in the filename.

> On Fri, Feb 24, 2017 at 10:25 AM, Stephan Bergmann wrote:
>> On 02/24/2017 03:47 PM, Norbert Thiebaud wrote:
>>>
>>> The situation with checksum of 'external' files is much worse than you
>>> thought.
>>> They are actually checked with md5.
>>> That being said they are not truly external, since they are hosted on
>>> the project infrastructure
>>> and the original motivation was not so much malicious injection
>>> detection but faulty transfer.
>>> using sha1 there would actually be an 'improvement' :-)

actually AFAICS the MD5 usage here is not currently a problem.

there are 2 different problems with hash functions, collision attacks and preimage attacks.

https://en.wikipedia.org/wiki/Preimage_attack

the big news about SHA1 is that somebody successfully performed a collision attack, where they created 2 files from scratch that have the same SHA1.

but here we have files that already exist and worry[1] that someone could create another file with the same hash - that is a preimage attack.

https://en.wikipedia.org/wiki/MD5#Preimage_vulnerability

"In April 2009, a preimage attack against MD5 was published that breaks MD5's preimage resistance. This attack is only theoretical, with a computational complexity of 2^123.4 for full preimage."

the SHA1 collision brute-force requires 2^80, and less with some clever mathematical insight, so md5 preimage appears at least 2^43 harder.

still, if somebody wants to implement using a better hash function, there is no reason to object :)

[1] unless the upstream that creates the tarball is actively malicious, but in that case we have other problems

___
LibreOffice mailing list
LibreOffice@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice
Re: sha1sum problem
On Fri, Feb 24, 2017 at 9:45 AM, Bryan Quigley wrote:
> I'm going to look at adding the SHA256SUM for all the files in
> download.lst. It looks like we can add them without breaking
> anything. Then we can test out how we want to switch or if we need to
> support both for a bit (platform dependent?).

shasum is already present and working on the supported platforms (I checked earlier on mac and windows) so yeah that should be doable pretty much transparently.

Supporting a mix of methods would be more painful and really not that useful I think.

Norbert
Re: sha1sum problem
I'm going to look at adding the SHA256SUM for all the files in download.lst. It looks like we can add them without breaking anything. Then we can test out how we want to switch or if we need to support both for a bit (platform dependent?).

Thoughts?
Bryan

(Of course, technically my SHA256SUMs will be based on the existing HTTP download and MD5SUM...)

On Fri, Feb 24, 2017 at 10:25 AM, Stephan Bergmann wrote:
> On 02/24/2017 03:47 PM, Norbert Thiebaud wrote:
>>
>> The situation with checksum of 'external' files is much worse than you
>> thought.
>> They are actually checked with md5.
>> That being said they are not truly external, since they are hosted on
>> the project infrastructure
>
> ...but downloaded via plain HTTP
>
>> and the original motivation was not so much malicious injection
>> detection but faulty transfer.
>> using sha1 there would actually be an 'improvement' :-)
>>
>> I guess we could convert that to shasum -a 256
Re: sha1sum problem
On Fri, Feb 24, 2017 at 9:25 AM, Stephan Bergmann wrote:
> On 02/24/2017 03:47 PM, Norbert Thiebaud wrote:
>>
>> The situation with checksum of 'external' files is much worse than you
>> thought.
>> They are actually checked with md5.
>> That being said they are not truly external, since they are hosted on
>> the project infrastructure
>
> ...but downloaded via plain HTTP

guilhem is fixing that on all our web services.
Re: sha1sum problem
On 02/24/2017 03:47 PM, Norbert Thiebaud wrote:
> The situation with checksum of 'external' files is much worse than you
> thought.
> They are actually checked with md5.
> That being said they are not truly external, since they are hosted on
> the project infrastructure

...but downloaded via plain HTTP

> and the original motivation was not so much malicious injection
> detection but faulty transfer.
> using sha1 there would actually be an 'improvement' :-)
>
> I guess we could convert that to shasum -a 256
Re: sha1sum problem
On Fri, Feb 24, 2017 at 8:03 AM, Necdet Yücel wrote:
> 2017-02-24 16:42 GMT+03:00 Norbert Thiebaud :
>>
>> On Fri, Feb 24, 2017 at 5:13 AM, Necdet Yücel
>> wrote:
>> > Hi,
>> >
>> > in configure script file integrity is checked by using sha1sums.
>>
>> You are sure about that ? or you just did a quick git grep sha1sum and
>> went from there ?
>
>
> i saw SHA1SUM="openssl sha1" in configure script and wrote here. If it's ok
> for LO, then it's ok for me too. Sorry for inconvenience

This instance of sha1sum usage is in a test intended to detect a bug in gmake. the input being sha-ed are generated during the test.. this is not susceptible to attacks, and even if it was the consequences would be to not detect a buggy gmake and have the build fail possibly later.

The situation with checksum of 'external' files is much worse than you thought. They are actually checked with md5.
That being said they are not truly external, since they are hosted on the project infrastructure and the original motivation was not so much malicious injection detection but faulty transfer.
using sha1 there would actually be an 'improvement' :-)

I guess we could convert that to shasum -a 256

Note though that the binaries published by tdf for download come with a variety of hashes to verify against
http://download.documentfoundation.org/libreoffice/stable/5.3.0/mac/x86_64/LibreOffice_5.3.0_MacOS_x86-64.dmg.mirrorlist
including a pgp signature
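An added example, not LibreOffice's own build or configure code, of what the two proposals in this thread amount to in practice: Norbert's "convert that to shasum -a 256" above, and the reply earlier on this page about adding a separate SHA256SUM variable and simply ignoring the MD5 that is embedded in the tarball's file name. The "<md5>-<name>.tar.gz" file name layout, the function names and the constructed sample file are assumptions made for illustration; nothing here is taken from download.lst. The script picks whichever SHA-256 tool the platform has (coreutils sha256sum, Perl shasum, or openssl), which is the portability point raised in the thread.

```shell
#!/bin/sh
# Added example (not LibreOffice's code): verify an external tarball with SHA-256
# and ignore the legacy MD5 carried in its file name.
#
# Assumptions (hypothetical, not from the thread): tarballs are named
# "<md5>-<name>.tar.gz" and the expected SHA-256 comes from a separate variable.

# SHA-256 with whatever tool exists: coreutils, Perl shasum, or openssl.
# All three print the digest as a field; awk picks it out.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# MD5 the same way; only needed to show what the old file-name check did.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Old-style check: the expected MD5 is the 32-hex-char prefix of the file name.
# Returns 0 when the prefix matches the content, 1 otherwise.
legacy_md5_check() {
    file=$1
    prefix=$(basename "$file" | cut -c1-32)
    [ "$(md5_of "$file")" = "$prefix" ]
}

# New-style check: compare against an explicitly supplied SHA-256 and ignore
# whatever hash happens to be in the file name. Hex case is normalised so an
# uppercase value in the list still matches.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# Demo on a constructed file whose content is "abc":
#   MD5    900150983cd24fb0d6963f7d28e17f72
#   SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
demo_dir=$(mktemp -d)
demo_file="$demo_dir/900150983cd24fb0d6963f7d28e17f72-abc.tar.gz"
printf 'abc' > "$demo_file"
if legacy_md5_check "$demo_file"; then echo "legacy md5 prefix matches"; fi
if verify_sha256 "$demo_file" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
    echo "sha256 ok"
fi
# Modified content under the same file name is rejected by the SHA-256 check;
# the file name, and the MD5 it claims, never enter into the decision.
printf 'abd' > "$demo_file"
if ! verify_sha256 "$demo_file" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
    echo "modified file rejected"
fi
rm -rf "$demo_dir"
```

Because `verify_sha256` takes the expected digest as an argument, a build system can keep the existing MD5-named files on the server and only add the SHA-256 values to the list, which is the "support both for a bit" transition described above.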
Re: sha1sum problem
2017-02-24 16:42 GMT+03:00 Norbert Thiebaud :
> On Fri, Feb 24, 2017 at 5:13 AM, Necdet Yücel
> wrote:
> > Hi,
> >
> > in configure script file integrity is checked by using sha1sums.
>
> You are sure about that ? or you just did a quick git grep sha1sum and
> went from there ?
>

i saw SHA1SUM="openssl sha1" in configure script and wrote here. If it's ok for LO, then it's ok for me too. Sorry for inconvenience

regards
Re: sha1sum problem
On Fri, Feb 24, 2017 at 5:13 AM, Necdet Yücel wrote:
> Hi,
>
> in configure script file integrity is checked by using sha1sums.

You are sure about that ? or you just did a quick git grep sha1sum and went from there ?

Norbert
Re: sha1sum problem
Hi,

in configure script file integrity is checked by using sha1sums.

---
Necdet Yücel
http://about.me/nyucel

2017-02-24 4:18 GMT+03:00 Norbert Thiebaud :
> On Thu, Feb 23, 2017 at 10:54 AM, Necdet Yücel
> wrote:
> > Hi,
> >
> > Since SHA1 has been broken in practice [1] maybe we should consider to move
> > to safer alternatives, such as SHA-256.
>
> What are you talking about ? (yes I read the news this morning too,
> but what concretely are you talking about in the context of this
> project ? )
>
> Norbert
Re: sha1sum problem
On Thu, Feb 23, 2017 at 10:54 AM, Necdet Yücel wrote:
> Hi,
>
> Since SHA1 has been broken in practice [1] maybe we should consider to move
> to safer alternatives, such as SHA-256.

What are you talking about ? (yes I read the news this morning too, but what concretely are you talking about in the context of this project ? )

Norbert
sha1sum problem
Hi,

Since SHA1 has been broken in practice [1] maybe we should consider to move to safer alternatives, such as SHA-256.

Best regards

[1] http://shattered.it/

---
Necdet Yücel
http://about.me/nyucel